0

I'm using the following yaml in my GitHub repository to publish NuGet packages to Azure Artifacts and GitHub packages on each commit and to the official NuGet repository when I use a Git Tag.

- stage: Deploy
  jobs:
  - deployment: AzureArtefacts
    displayName: 'Azure Artefacts'
    pool:
      vmImage: windows-latest
    environment: 'Azure Artefacts'
    strategy:
      runOnce:
        deploy:
          steps:
          - task: NuGetToolInstaller@1
            displayName: 'NuGet Install'
          - task: NuGetAuthenticate@0
            displayName: 'NuGet Authenticate'
          - script: nuget push $(Agent.BuildDirectory)\Windows\*.nupkg -Source https://pkgs.dev.azure.com/serilog-exceptions/_packaging/serilog-exceptions/nuget/v3/index.json -ApiKey AzureArtifacts -SkipDuplicate
            displayName: 'NuGet Push'
            failOnStderr: true
  - deployment: GitHub
    pool:
      vmImage: windows-latest
    environment: 'GitHub'
    strategy:
      runOnce:
        deploy:
          steps:
          - task: NuGetToolInstaller@1
            displayName: 'NuGet Install'
          - script: nuget source Add -Name GitHub -Source https://nuget.pkg.github.com/RehanSaeed/index.json -UserName $(GitHubUserName) -Password $(GitHubPersonalAccessToken)
            displayName: 'NuGet Add Source'
            failOnStderr: true
          - script: nuget push $(Agent.BuildDirectory)\Windows\*.nupkg -Source GitHub -SkipDuplicate
            displayName: 'NuGet Push'
            failOnStderr: true
  - deployment: NuGet
    pool:
      vmImage: windows-latest
    environment: 'NuGet'
    condition: startsWith(variables['Build.sourceBranch'], 'refs/tags/')
    strategy:
      runOnce:
        deploy:
          steps:
          - task: NuGetToolInstaller@1
            displayName: 'Install NuGet'
          - script: nuget push $(Agent.BuildDirectory)\Windows\*.nupkg -Source https://api.nuget.org/v3/index.json -ApiKey $(NuGetApiKey) -SkipDuplicate
            displayName: 'NuGet Push'
            failOnStderr: true

This works fine when I checkin but when someone creates a PR, the above publish steps fail because:

  • Azure Artifacts - The user does not have permissions.
  • GitHub - The user does not have access to use the secret variables GitHubUserName and GitHubPersonalAccessToken.
  • NuGet - The build is not running from a Git tag so this step does not run.

Is it possible to safely run the Azure Artifacts and GitHub publish steps from PR's? In particular, I don't want someone changing the azure-pipelines.yml or my Cake build build.cake file to steal my secret variables or publish their own packages.

If this is not possible, I guess I have to skip these steps from PR's. How can I do this?

Muhammad Rehan Saeed
  • 35,627
  • 39
  • 202
  • 311
  • my first thought is that you need two build definitions. Both can point to the same yaml/cake script, but the PR build should not have any secrets defined and the other build should only be triggered on changes to locked branches or new tags. If you re-use the same yaml, then you need conditions to skip steps when the secret value is not defined. – zivkan Oct 10 '19 at 15:39
  • @Muhammad Rehan Saeed, Why unmarked? May I know the reason for it? Please let us know if you would like further assistance. – Leo Liu Oct 14 '19 at 01:27
  • I was hoping someone could one day provide a solution that could allow PR's to be deployed. Perhaps that's unrealistic, have the tick back. – Muhammad Rehan Saeed Oct 14 '19 at 07:42

1 Answers1

1

If this is not possible?

I am afraid this is impossible to do that. Since the user do not have the permissions, the secret variables GitHubUserName and GitHubPersonalAccessToken. This is the key to this issue and cannot be circumvented, if you don't want to leak your secret variables.

I guess I have to skip these steps from PR's. How can I do this?

The answer is yes.

You could use the expression evaluates the built-in variable Build.Reason to determine if the task is executing the build as part of a pull request branch policy, like:

condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))

Then those task will be skip when the build is triggered by the PullRequest.

Check the document Conditions for some more details.

Hope this helps.

Leo Liu
  • 71,098
  • 10
  • 114
  • 135